Study Objective

• Examine cadet social networks at the US Military Academy to identify network metrics and processes associated with security vulnerabilities.

• Identify social mechanisms to improve security among college-aged cadets at the US Military Academy at West Point.

• Compare processes between formal versus informal networks.
What is Phishing

Phishing is a form of electronic deception in which an attacker tries to obtain personal information by mimicking a trustworthy entity.
Background

• Phishing attacks are becoming widespread and costly - $2.4M-$9.4M in fraud losses per year

• Future military officers are especially vulnerable - access to sensitive data.

• Phishing threatens personal and national security

• Younger generations are more susceptible - more trustworthy and less fearful of technology.

• Homophily around risky behaviors exists among friends, but no clear evidence for organizational links.
Study Design

Part of a large-scale Army-wide initiative to evaluate security training

• Training Assessment Study (n=894)

- Send false phishing emails out to students

- Longitudinal design - 3 time points over 1 year

- 9 military units assigned to 1 of 3 conditions: (1) no notification, (2) notification, (3) given a 10-minute training module online

- Findings showed that upperclassmen, females and those in condition 2 had the greatest reduction in phishing failures (results published in CISSE, 2011)
Social Network Study (n=128)

Network Data

- INFORMAL NETWORK

Friendships: “Who do you consider a friend within the company”

- FORMAL NETWORK

Chain of command: immediate supervisorial chain

Dependent Variables

- PHISHING BEHAVIOR: Detect whether student clicked the embedded link, and entered credentials

- WARNING ACTIVITY: Warn another cadet within the company (paper survey)

Analysis:

Correlations & Logistic regression

-> centrality

-> network exposure (# alters that show phishing and warning behaviors)
Participants

• Participants:

- US Military Academy cadets, aged 18-25

- One complete military unit (n=128)

- 89% males

- 30% freshman, 28% sophomore, 22% junior, 20% senior

• Security

- 48% clicked the embedded link

- 30% entered credentials

- 5% warned others
Command leadership correlates with:

- security resilience (decreased phishing failure)

- warning

Informal leadership correlates with:

- failure

- no warning
Local Network Homophily

Logistic Regression of Failure
- Command relations are involved with phishing vulnerabilities

- Friend relations are involved with warning behaviors
Structural Capabilities

Friendship networks

- Characterized as being highly centralized and clustered - few individuals have key roles in spreading information.

Command networks

- Have the potential to be very efficient - all individuals in the network can be reached in fewer steps (2 versus 5 steps, on average).
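
Added example (not part of the original slides): how the two quantities used in the analysis, network exposure (# alters showing a behavior) and the average number of steps needed to reach others, can be computed for a formal and an informal network. The seven cadets, their ties and their outcomes are constructed for illustration and are not study data.

```python
from collections import deque

# Constructed 7-cadet company (hypothetical, not study data).
# Command ties form a supervisory tree; friendship ties form a cluster plus a chain.
COMMAND = [("A", "B"), ("A", "C"), ("B", "D"), ("B", "E"), ("C", "F"), ("C", "G")]
FRIENDS = [("A", "B"), ("B", "C"), ("A", "C"), ("C", "D"),
           ("D", "E"), ("E", "F"), ("F", "G")]
FAILED = {"B", "D", "E"}   # entered credentials in the exercise (constructed)
WARNED = {"C"}             # warned another cadet (constructed)

def adjacency(edges):
    """Build an undirected adjacency map from a list of ties."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def exposure(adj, behavior):
    """Network exposure: number of ego's alters who show the behavior."""
    return {ego: len(alters & behavior) for ego, alters in adj.items()}

def distances(adj, src):
    """Breadth-first search: steps from src to every reachable cadet."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def mean_steps(adj):
    """Average shortest-path length over all ordered reachable pairs."""
    total = pairs = 0
    for node in adj:
        d = distances(adj, node)
        total += sum(d.values())
        pairs += len(d) - 1
    return total / pairs

if __name__ == "__main__":
    for name, edges in (("command", COMMAND), ("friends", FRIENDS)):
        adj = adjacency(edges)
        print(name, "failure exposure:", exposure(adj, FAILED))
        print(name, "warning exposure:", exposure(adj, WARNED))
        print(name, "mean steps:", round(mean_steps(adj), 2))
```

Exposure counts like these are the per-cadet predictors that would enter a logistic regression of failure or warning alongside centrality.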
Summary of Results:

Social determinants of Cyber Security

Informal Social Structure

1. Friendship leadership is vulnerable - more failure, less warning

2. Cyber risk resiliency among friends - while there is less *warning* among friends, there is homophily around this behavior

Formal Command Structure

1. Command leadership is strong - less failure, more warning.

2. Cyber risk vigilance among commanders/subordinates -- reduced security failures ego corresponds to higher *failures* and lower warnings in one’s network.

Multiplex Relations

1. Trust improves security coordination -- Warning was likely given and heeded among those who share friendship and command links


Future Work

• Security training and research should:

- Emphasize the importance of security vigilance (failure) among formal leadership structures

- Harness positive behaviors among informal relations (warning)

- Further explore the role of multiplex relations in these settings

- Utilize high betweenness in friendship network, and high closeness in command network

• Currently conducting a phishing study - 3 waves. Collecting network, org identity, and trust survey data.

• Understand other ideological, information exchange and contagion processes among formal and informal networks in military units - leadership, ideology, morale, performance.
Questions?